rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

trunk: add basic ubuntu support

Browse Source
This commit is contained in:
Chris PeBenito 2008-02-05 18:24:43 +00:00
parent ce8a5299a8
commit 12cf805e1c
12 changed files with 159 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile
View File

@ -184,6 +184,10 @@ ifeq "$(DISTRO)" "rhel4"
M4PARAM += -D distro_redhat M4PARAM += -D distro_redhat
endif endif
ifeq "$(DISTRO)" "ubuntu"
M4PARAM += -D distro_debian
endif
ifneq ($(OUTPUT_POLICY),) ifneq ($(OUTPUT_POLICY),)
CHECKPOLICY += -c $(OUTPUT_POLICY) CHECKPOLICY += -c $(OUTPUT_POLICY)
endif endif

8
policy/modules/services/ssh.if
View File

@ -507,9 +507,6 @@ template(`ssh_server_template', `
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t) userdom_search_all_users_home_dirs($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t) fs_read_nfs_files($1_t)
') ')
@ -522,6 +519,11 @@ template(`ssh_server_template', `
kerberos_use($1_t) kerberos_use($1_t)
') ')
optional_policy(`
# Allow checking users mail at login
mta_getattr_spool($1_t)
')
optional_policy(` optional_policy(`
nscd_socket_use($1_t) nscd_socket_use($1_t)
') ')

30
policy/modules/system/authlogin.te
View File

@ -122,6 +122,12 @@ logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t) userdom_use_unpriv_users_fds(pam_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_t)
')
')
optional_policy(` optional_policy(`
locallogin_use_fds(pam_t) locallogin_use_fds(pam_t)
') ')
@ -223,6 +229,12 @@ seutil_read_file_contexts(pam_console_t)
userdom_dontaudit_use_unpriv_user_fds(pam_console_t) userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_console_t)
')
')
optional_policy(` optional_policy(`
gpm_getattr_gpmctl(pam_console_t) gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t) gpm_setattr_gpmctl(pam_console_t)
@ -264,6 +276,12 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(system_chkpwd_t)
')
')
######################################## ########################################
# #
# updpwd local policy # updpwd local policy
@ -292,6 +310,12 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t) miscfiles_read_localization(updpwd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(updpwd_t)
')
')
######################################## ########################################
# #
# Utempter local policy # Utempter local policy
@ -324,6 +348,12 @@ logging_search_logs(utempter_t)
# Allow utemper to write to /tmp/.xses-* # Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_users_tmp_files(utempter_t) userdom_write_unpriv_users_tmp_files(utempter_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(utempter_t)
')
')
optional_policy(` optional_policy(`
nscd_socket_use(utempter_t) nscd_socket_use(utempter_t)
') ')

6
policy/modules/system/getty.te
View File

@ -114,6 +114,12 @@ ifdef(`distro_gentoo',`
sysnet_dontaudit_read_config(getty_t) sysnet_dontaudit_read_config(getty_t)
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(getty_t)
')
')
optional_policy(` optional_policy(`
mta_send_mail(getty_t) mta_send_mail(getty_t)
') ')

11
policy/modules/system/init.te
View File

@ -163,6 +163,12 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
') ')
ifndef(`distro_ubuntu',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
userdom_shell_domtrans_sysadm(init_t)
')
optional_policy(` optional_policy(`
auth_rw_login_records(init_t) auth_rw_login_records(init_t)
') ')
@ -175,11 +181,6 @@ optional_policy(`
unconfined_domain(init_t) unconfined_domain(init_t)
') ')
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`
userdom_shell_domtrans_sysadm(init_t)
')
######################################## ########################################
# #
# Init script local policy # Init script local policy

6
policy/modules/system/libraries.te
View File

@ -80,6 +80,12 @@ logging_send_syslog_msg(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t) userdom_use_all_users_fds(ldconfig_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ldconfig_t)
')
')
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
optional_policy(` optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)

6
policy/modules/system/locallogin.te
View File

@ -138,6 +138,12 @@ userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t) userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t) userdom_create_all_users_keys(local_login_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(local_login_t)
')
')
tunable_policy(`read_default_t',` tunable_policy(`read_default_t',`
files_list_default(local_login_t) files_list_default(local_login_t)
files_read_default_files(local_login_t) files_read_default_files(local_login_t)

18
policy/modules/system/logging.te
View File

@ -164,6 +164,12 @@ seutil_dontaudit_read_config(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t) userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(auditd_t)
')
')
optional_policy(` optional_policy(`
seutil_sigchld_newrole(auditd_t) seutil_sigchld_newrole(auditd_t)
') ')
@ -220,6 +226,12 @@ mls_file_read_all_levels(klogd_t)
userdom_dontaudit_search_sysadm_home_dirs(klogd_t) userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(klogd_t)
')
')
optional_policy(` optional_policy(`
udev_read_db(klogd_t) udev_read_db(klogd_t)
') ')
@ -357,6 +369,12 @@ ifdef(`distro_suse',`
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file) files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(syslogd_t)
')
')
optional_policy(` optional_policy(`
inn_manage_log(syslogd_t) inn_manage_log(syslogd_t)
') ')

18
policy/modules/system/modutils.te
View File

@ -112,6 +112,12 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t) seutil_read_file_contexts(insmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(insmod_t)
')
')
if( ! secure_mode_insmod ) { if( ! secure_mode_insmod ) {
kernel_domtrans_to(insmod_t,insmod_exec_t) kernel_domtrans_to(insmod_t,insmod_exec_t)
} }
@ -205,6 +211,12 @@ files_list_home(depmod_t)
userdom_read_staff_home_content_files(depmod_t) userdom_read_staff_home_content_files(depmod_t)
userdom_read_sysadm_home_content_files(depmod_t) userdom_read_sysadm_home_content_files(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(depmod_t)
')
')
optional_policy(` optional_policy(`
# Read System.map from home directories. # Read System.map from home directories.
unconfined_read_home_content_files(depmod_t) unconfined_read_home_content_files(depmod_t)
@ -282,3 +294,9 @@ ifdef(`distro_gentoo',`
consoletype_exec(update_modules_t) consoletype_exec(update_modules_t)
') ')
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(update_modules_t)
')
')

6
policy/modules/system/mount.te
View File

@ -128,6 +128,12 @@ ifdef(`distro_redhat',`
') ')
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(mount_t)
')
')
tunable_policy(`allow_mount_anyfile',` tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t) auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t)

42
policy/modules/system/selinuxutil.te
View File

@ -145,6 +145,12 @@ libs_use_shared_libs(checkpolicy_t)
userdom_use_all_users_fds(checkpolicy_t) userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(checkpolicy_t)
')
')
######################################## ########################################
# #
# Load_policy local policy # Load_policy local policy
@ -183,6 +189,12 @@ seutil_libselinux_linked(load_policy_t)
userdom_use_all_users_fds(load_policy_t) userdom_use_all_users_fds(load_policy_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(load_policy_t)
')
')
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors. # cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write; dontaudit load_policy_t selinux_config_t:file write;
@ -276,6 +288,12 @@ userdom_use_unpriv_users_fds(newrole_t)
userdom_dontaudit_search_all_users_home_content(newrole_t) userdom_dontaudit_search_all_users_home_content(newrole_t)
userdom_search_all_users_home_dirs(newrole_t) userdom_search_all_users_home_dirs(newrole_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
')
')
# if secure mode is enabled, then newrole # if secure mode is enabled, then newrole
# can only transition to unprivileged users # can only transition to unprivileged users
if(secure_mode) { if(secure_mode) {
@ -329,6 +347,12 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t) seutil_libselinux_linked(restorecond_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
')
')
optional_policy(` optional_policy(`
rpm_use_script_fds(restorecond_t) rpm_use_script_fds(restorecond_t)
') ')
@ -396,6 +420,12 @@ ifndef(`direct_sysadm_daemon',`
') ')
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
')
')
optional_policy(` optional_policy(`
daemontools_domtrans_start(run_init_t) daemontools_domtrans_start(run_init_t)
') ')
@ -471,6 +501,12 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t) files_read_var_lib_symlinks(semanage_t)
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(semanage_t)
')
')
# cjp: need a more general way to handle this: # cjp: need a more general way to handle this:
ifdef(`enable_mls',` ifdef(`enable_mls',`
# read secadm tmp files # read secadm tmp files
@ -575,6 +611,12 @@ ifdef(`distro_redhat', `
fs_relabel_tmpfs_chr_file(setfiles_t) fs_relabel_tmpfs_chr_file(setfiles_t)
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(setfiles_t)
')
')
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
optional_policy(` optional_policy(`
udev_dontaudit_rw_dgram_sockets(setfiles_t) udev_dontaudit_rw_dgram_sockets(setfiles_t)

12
policy/modules/system/sysnetwork.te
View File

@ -142,6 +142,12 @@ ifdef(`distro_redhat', `
files_exec_etc_files(dhcpc_t) files_exec_etc_files(dhcpc_t)
') ')
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(dhcpc_t)
')
')
optional_policy(` optional_policy(`
consoletype_domtrans(dhcpc_t) consoletype_domtrans(dhcpc_t)
') ')
@ -297,6 +303,12 @@ seutil_use_runinit_fds(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t) userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ifconfig_t)
')
')
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
optional_policy(` optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t) dev_dontaudit_rw_cardmgr(ifconfig_t)